Configuring the ObjectServer for user authentication

If users are authenticated in the ObjectServer, you can control the user authentication mechanism by setting ObjectServer properties. You can change the encryption algorithm for passwords, or restrict the passwords to a specific format, or both.

Before you begin

Note: To configure the OMNIbus ObjectServer to provide authentication, authorization and SSO for IBM Operations Analytics Log Analysis, see: https://www.ibm.com/support/pages/node/6381830

Procedure

  • To change the encryption algorithm for the passwords, set the PasswordEncryption property to the required value.
    This property defines the encryption scheme that is used to encrypt user passwords that are stored in the ObjectServer. Possible values are as follows:
    • DES: Data Encryption Standard encryption. Only the first eight characters of a DES-encrypted password are read. Additional characters are ignored.
    • AES: Advanced Encryption Standard (AES128) encryption. Only the first 16 characters of an AES128-encrypted password are read. Additional characters are ignored. In FIPS 140-2 mode, the AES option is mandated by the system. In Fix Pack 24, the AES scheme is enhanced to support longer passwords, up to a maximum of 64 characters, due to storage limitations. Because of password size limitations in the JDBC jConnect library, users that connect without the OMNIbus client libraries cannot exchange a password longer than 30 characters with the ObjectServer and therefore cannot log in to the server. For these users to log in successfully, their passwords must be no longer than 30 characters.
    For non-FIPS 140-2 installations, the default is DES. For FIPS 140-2 mode, the default is AES.
  • To restrict the format of the passwords, set the RestrictPasswords property to TRUE.

    The following password restriction parameters are available in Fix Pack 25. In an upgraded system these parameters might not be present in the properties file, because the new parameters are not automatically added to existing properties files.

    • PasswordInHistory stores a password history of the last specified number of passwords for each user. Specify a value greater than 0. The default value is 0 (disabled). When a user attempts to change their password, the new password is checked against the stored passwords for that user. If the new password is found in the password history, the new password is rejected and the user must select a new password.
    • PasswordMinAge prevents users from changing their password before a certain number of days. Specify a value greater than 1. The default value is 0 (disabled).
    • PasswordMaxAge sets the maximum permitted password age. Specify a value greater than 0. The default value is 0 (disabled). When a user logs in to the system, the age of their password is checked. If the password has exceeded the maximum permitted age, the login attempt is rejected. Only the root user is exempt from this restriction. If the PasswordMaxAge parameter is configured, the alert_user_to_old_passwords trigger, or a similar custom version, should be enabled. For more information, see Standard Tivoli Netcool/OMNIbus automations.
  • To specify the format to which the passwords are restricted, set the PasswordFormat property to the required value.
    The property defines the format of user passwords. It takes effect only when the RestrictPasswords property is set to TRUE. Specify the value of this property as a colon-separated set of integer values. Each value defines a password requirement. The format is: min_len:alpha_num:digit_num:punct_num:contains username:accept_max_consecutive, where:
    • min_len is the password length.
    • alpha_num is the minimum number of alphabetic characters.
    • digit_num is the minimum number of numeric characters.
    • punct_num is the minimum number of punctuation characters.
    • contains username (available from Fix Pack 7) controls whether a password can contain the user name or not, where 0 means the user name is not permitted, while 1 means the user name is permitted in the password. The default setting is 1.
    • accept_max_consecutive (available from Fix Pack 25) controls whether a password can contain a certain number of consecutive user name characters or not, where 0 means the limit is not applied, while 3 means that three consecutive user name characters are permitted. The default setting is 0.
    The minimum alphabetic, numeric, and punctuation character requirements must be satisfied within the number of characters specified by the minimum password length. With the default value of 8:1:1:0:1:0, a password must contain 1 alphabetic character and 1 numeric character in the first 8 characters of the password string.
    For example, if the property is set to 8:1:1:0:1:0 and a user specifies the password abcdefgh590675, the password is rejected because the first 8 characters contain no numeric characters.
    After this property is set, the ObjectServer validates all new or changed passwords against this requirement, and passwords that do not meet the requirement are rejected. Existing passwords are not validated. For example, if you change the contains username value to 0 from the default 1, only the passwords of new users added by the CREATE USER command, or the passwords of existing users modified with the ALTER USER command, are validated to check for the occurrence of a user name in the password.

Example

To help you understand the effects of the RestrictPasswords and PasswordFormat properties, and the PasswordEncryption property, consider the following example:

  • RestrictPasswords is set to TRUE.
  • PasswordFormat is set to the default, 8:1:1:0:1:0.
  • PasswordEncryption is set to the default, DES.

If a user creates the password 1234abcdxyz, this password is accepted because it meets the requirement specified by the PasswordFormat property: a minimum of 8 characters, a minimum of 1 alphabetic character and a minimum of 1 numeric character with no limit to the number of consecutive user name characters. Because DES encryption is set, only the first 8 characters, 1234abcd, are read. The characters xyz are ignored. Consequently, the same user could log in with the password 1234abcdxxx. Because only the first 8 characters are significant for encryption, and the password formatting requirements are met, the incorrect password is accepted.
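As an added illustration that is not part of the IBM documentation, the following Python model implements the PasswordFormat rules described in the Procedure above and the truncation effect shown in this example, so that both the abcdefgh590675 rejection and the 1234abcdxxx login can be reproduced. The names parse_password_format, validate_password, effective_password and same_credential are constructed for this example. Several details are assumptions rather than confirmed ObjectServer behaviour: the user name checks are treated as case-insensitive, Python's string.punctuation is used as the punctuation class, PasswordFormat values with 4 to 6 fields are accepted with 1 and 0 as the defaults for the trailing fields, and accept_max_consecutive is read as rejecting any run of limit+1 consecutive user name characters.

```python
import string

# Field order of the PasswordFormat property (fix pack 7 added contains_username,
# fix pack 25 added accept_max_consecutive). Names are constructed for this example.
FIELDS = ("min_len", "alpha_num", "digit_num", "punct_num",
          "contains_username", "accept_max_consecutive")
# Assumption: when an older, shorter property value omits the trailing fields,
# fall back to the values they hold in the documented default 8:1:1:0:1:0.
TRAILING_DEFAULTS = {"contains_username": 1, "accept_max_consecutive": 0}

# Number of significant password characters per encryption scheme, as documented:
# DES reads 8, AES128 reads 16, and AES from Fix Pack 24 reads up to 64.
SIGNIFICANT_CHARS = {"DES": 8, "AES": 16, "AES_FP24": 64}


def parse_password_format(fmt):
    """Parse a colon-separated PasswordFormat value into a dict of ints."""
    parts = [int(p) for p in fmt.split(":")]
    if not 4 <= len(parts) <= len(FIELDS):
        raise ValueError("PasswordFormat needs 4 to 6 colon-separated integers")
    rules = dict(zip(FIELDS, parts))
    for name, default in TRAILING_DEFAULTS.items():
        rules.setdefault(name, default)
    return rules


def validate_password(password, username, fmt="8:1:1:0:1:0"):
    """Return (accepted, reason) for a new or changed password."""
    r = parse_password_format(fmt)
    if len(password) < r["min_len"]:
        return False, "password is shorter than min_len"

    # Character-class minimums must be satisfied within the first min_len
    # characters, which is why abcdefgh590675 fails the default format.
    window = password[:r["min_len"]]
    counts = {
        "alpha_num": sum(c.isalpha() for c in window),
        "digit_num": sum(c.isdigit() for c in window),
        "punct_num": sum(c in string.punctuation for c in window),  # assumption
    }
    for name, have in counts.items():
        if have < r[name]:
            return False, (f"{name} not met in the first {r['min_len']} "
                           f"characters ({have} < {r[name]})")

    pw, user = password.lower(), username.lower()  # assumption: case-insensitive
    if r["contains_username"] == 0 and user and user in pw:
        return False, "password contains the user name"

    # Assumption: a limit of N rejects any run of N+1 consecutive user name characters.
    limit = r["accept_max_consecutive"]
    if limit > 0 and len(user) > limit:
        for i in range(len(user) - limit):
            if user[i:i + limit + 1] in pw:
                return False, f"password contains {limit + 1} consecutive user name characters"
    return True, "ok"


def effective_password(password, scheme="DES"):
    """The prefix of the password that the ObjectServer actually reads."""
    return password[:SIGNIFICANT_CHARS[scheme]]


def same_credential(stored, attempted, scheme="DES"):
    """True when two passwords reduce to the same significant prefix, i.e. the
    attempted password would be accepted at login even if it is not identical."""
    return effective_password(stored, scheme) == effective_password(attempted, scheme)


if __name__ == "__main__":
    print(validate_password("abcdefgh590675", "alice"))       # rejected: no digit in first 8
    print(validate_password("1234abcdxyz", "alice"))          # accepted
    print(same_credential("1234abcdxyz", "1234abcdxxx", "DES"))  # True: only 1234abcd is read
    print(same_credential("1234abcdxyz", "1234abcdxxx", "AES"))  # False: 16 chars are read
```

The last two calls reproduce the point of the example: under DES the two passwords collapse to the same 8-character prefix, so the wrong password is accepted, while under AES the full 11 characters are compared. The same model also shows that raising min_len alone does not help when the encryption scheme reads fewer characters than the format validates, because the validated window and the stored prefix are independent settings.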